Washington State Amends Breach Notification Law to Expand Notification Requirements

On April 23, 2015, Washington State Governor Jay Inslee signed into law a bill strengthening the state’s data breach notification law (amending Wash. Rev. Code §§ 19.255.010 and 42.56.590 and creating a new section). H.B. 1078 makes the following substantial changes to the existing law:

Under the current law, businesses and agencies that own or license computerized data including personal information about a Washington resident must disclose any breach in the security of the system involving such personal information that is unencrypted. H.B. 1078 expands this requirement to include:

both computerized and hard copy data that contain personal information that is not “secured;” and

encrypted information when the person gaining unauthorized access to the data had access to the encryption key or an alternative means of deciphering the “secured” data. The amendment also provides a standard for encryption.

H.B. 1078 adds federal preemption language for entities covered under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA); such entities are deemed compliant with the new law if they complied with §13402 of the federal Health Information Technology for Economic and Clinical Health Act. Some financial institutions under the authority of federal regulators under the Gramm-Leach-Bliley Act are also deemed in compliance with the new law if they notify in compliance with applicable federal guidelines. In each case, they are still required to notify the state Attorney General.

H.B. 1078 adds content requirements for notification to provide consumers with basic information to help secure or recover their identities:

the name and contact information for the reporting entity;

the types of personal information that were subject to the breach; and

toll-free telephone numbers and addresses for the major credit reporting agencies.

The new law requires consumer notification in the most expedient time possible and without unreasonable delay, and no more than 45 days after the breach was discovered (however, notice is not required if the security breach is not reasonably likely to subject consumers to a risk of harm). If more than 500 Washington residents must be notified under the law, H.B. 1078 requires that notice also be provided to the attorney general by the time notice is provided to consumers, including a copy of the notice sent to consumers (eliminating any personal information) as well as an estimated number of Washington residents affected by the breach.

In addition to the private right of action which existed under the law prior to the amendment, under H.B. 1078, the attorney general is given the right to enforce the law.

The changes to Washington State’s existing breach notification laws are meant to clarify any ambiguity regarding the scope of the law and how and when it applies to encrypted data that has been compromised. Large data breaches on the front pages of newspapers have led to increased scrutiny of existing laws and procedures, including bipartisan legislation currently making its way through Congress.
